Setting up a Nomad cluster using Consul and integrating it with Gitlab

Introduction

Recently the popularity of Kubernetes has been growing fast, and more and more projects are adopting it. I want to look at an orchestrator such as Nomad: it suits projects that already use other HashiCorp products, for example Vault and Consul, and whose infrastructure is not complicated. This material contains instructions for installing Nomad, joining two nodes into a cluster, and integrating Nomad with Gitlab.


Test bench

A little about the test bench: three virtual servers are used, each with 2 CPUs, 4 GB RAM and a 50 GB SSD, connected to a common local network. Their names and IP addresses:

  1. nomad-livelinux-01: 172.30.0.5
  2. nomad-livelinux-02: 172.30.0.10
  3. consul-livelinux-01: 172.30.0.15

Installing Nomad and Consul. Creating a Nomad cluster

Let's start with the basic installation. Although the setup was simple, I will describe it for the completeness of the article: it was essentially assembled from drafts and notes kept for quick access when needed.

Before we get to practice, let's go over the theoretical part, because at this stage it is important to understand the future structure.

We have two Nomad nodes and want to join them into a cluster; later we will also need automatic cluster scaling, and for that we need Consul. With this tool, clustering and adding new nodes becomes a simple task: a newly created Nomad node connects to the Consul agent and is then joined to the existing Nomad cluster. So, to begin with, we install the Consul server, set up basic HTTP authorization for its web panel (by default it has no authorization and can be reached on the external address), and the Consul agents on the Nomad servers themselves; after that we move on to Nomad proper.

Installing HashiCorp tools is very simple: essentially we just move the binary to the bin directory, write the tool's configuration file, and create its service file.

Download the Consul binary and unpack it in the user's home directory:

root@consul-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# mv consul /usr/local/bin/

Now we have a ready consul binary for further configuration.

To work with Consul we need to generate a unique key using the keygen command:

root@consul-livelinux-01:~# consul keygen

Let's move on to the Consul configuration and create the /etc/consul.d/ directory with the following structure:

/etc/consul.d/
├── bootstrap
│   └── config.json

The bootstrap directory will hold the configuration file config.json, in which we set the Consul settings. Its contents:

{
  "bootstrap": true,
  "server": true,
  "datacenter": "dc1",
  "data_dir": "/var/consul",
  "encrypt": "your-key",
  "log_level": "INFO",
  "enable_syslog": true,
  "start_join": ["172.30.0.15"]
}

Let's look at the main directives and their meaning one by one:

  • bootstrap: true. We allow new nodes to be added automatically when they connect. Note that we do not specify here the exact number of expected nodes.
  • server: true. Enables server mode. Consul on this virtual machine will, for now, act as the only server and leader; the Nomad VMs will be clients.
  • datacenter: dc1. Sets the datacenter name used to form the cluster. It must be identical on clients and servers.
  • encrypt: your-key. The gossip key, which must also be unique and match on all clients and servers. It is generated with the consul keygen command.
  • start_join. In this list we specify the IP addresses to join. For now we leave only our own address.

At this point we can already run consul from the command line:

root@consul-livelinux-01:~# /usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui

This is a convenient way to debug right now, but for obvious reasons this method cannot be used in production. Let's create a service file to manage Consul through systemd:

root@consul-livelinux-01:~# nano /etc/systemd/system/consul.service

Contents of the consul.service file:

[Unit]
Description=Consul Startup process
After=network.target
 
[Service]
Type=simple
ExecStart=/bin/bash -c '/usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui' 
TimeoutStartSec=0
 
[Install]
WantedBy=default.target

Start Consul via systemctl:

root@consul-livelinux-01:~# systemctl start consul

Let's check: our service must be running, and by executing the consul members command we should see our server:

root@consul-livelinux:/etc/consul.d# consul members
consul-livelinux    172.30.0.15:8301  alive   server  1.5.0  2         dc1  <all>

Next step: install Nginx and set up proxying and HTTP authorization. We install nginx via the package manager and in the /etc/nginx/sites-enabled directory create the configuration file consul.conf with the following contents:

upstream consul-auth {
    server localhost:8500;
}

server {
    server_name consul.domain.name;

    location / {
        proxy_pass http://consul-auth;
        proxy_set_header Host $host;
        auth_basic_user_file /etc/nginx/.htpasswd;
        auth_basic "Password-protected Area";
    }
}

Don't forget to create the .htpasswd file and a username and password in it. This is needed so that the web panel is not open to everyone who knows our domain. However, when setting up Gitlab we will have to abandon this, otherwise we won't be able to deploy our application to Nomad. In my project both Gitlab and Nomad live only on the private (grey) network, so there is no such problem here.

On the other two servers we install Consul agents following the instructions below. We repeat the steps with the binary:

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# mv consul /usr/local/bin/

By analogy with the previous server, we create the directory for configuration files /etc/consul.d with the following structure:

/etc/consul.d/
├── client
│   └── config.json

Contents of the config.json file (bind_addr is the VM's own local address and start_join is the address of the remote Consul server; JSON allows no comments, so such notes cannot go into the file itself):

{
    "datacenter": "dc1",
    "data_dir": "/opt/consul",
    "log_level": "DEBUG",
    "node_name": "nomad-livelinux-01",
    "server": false,
    "encrypt": "your-private-key",
    "domain": "livelinux",
    "addresses": {
      "dns": "127.0.0.1",
      "https": "0.0.0.0",
      "grpc": "127.0.0.1",
      "http": "127.0.0.1"
    },
    "bind_addr": "172.30.0.5",
    "start_join": ["172.30.0.15"],
    "ports": {
      "dns": 53
    }
}

Save the changes and move on to the service file, with the following contents:

/etc/systemd/system/consul.service:

[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
User=root
Group=root
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/client
ExecReload=/usr/local/bin/consul reload
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

We launch consul on the server. Now, after launch, we should see the configured node in consul members. This means it has successfully joined the cluster as a client. Repeat the same on the second server, and after that we can begin installing and configuring Nomad.

A more detailed Nomad installation is described in the official documentation. There are two traditional installation methods: downloading the binary and building from source. I will choose the first one.

Note: the project is developing quickly and new releases come out often. It is likely that a new version will have been released by the time this article is finished. Therefore, before continuing, I recommend checking the current Nomad version and downloading that one.
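Before moving on to Nomad it is worth checking that the server and client config.json files agree, since the article requires datacenter and encrypt to be identical on every node and a missing brace silently breaks the file. The following is an added example, not part of the original article or of Consul's own tooling; the node names and the placeholder key are constructed.

```python
import base64
import json

# Constructed sample files in the shape of the article's bootstrap and client
# config.json; "encrypt" holds a placeholder key made here, not a real one.
PLACEHOLDER_KEY = base64.b64encode(bytes(range(32))).decode()
SERVER_JSON = json.dumps({
    "bootstrap": True, "server": True, "datacenter": "dc1",
    "data_dir": "/var/consul", "encrypt": PLACEHOLDER_KEY,
    "log_level": "INFO", "enable_syslog": True, "start_join": ["172.30.0.15"],
})
CLIENT_JSON = json.dumps({
    "datacenter": "dc1", "data_dir": "/opt/consul", "log_level": "DEBUG",
    "node_name": "nomad-livelinux-01", "server": False,
    "encrypt": PLACEHOLDER_KEY, "bind_addr": "172.30.0.5",
    "start_join": ["172.30.0.15"],
})


def key_problem(key):
    """Why a gossip key is unusable, or None. consul keygen emits base64 of
    16, 24 or 32 random bytes; every agent must carry the identical value."""
    if not isinstance(key, str) or not key:
        return "encrypt key missing"
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:
        return "encrypt key is not valid base64"
    if len(raw) not in (16, 24, 32):
        return "encrypt key must decode to 16, 24 or 32 bytes"
    return None


def check_cluster_configs(named_configs):
    """named_configs: list of (node_name, json_text). Returns the problems found;
    an empty list means the files satisfy the invariants the article states."""
    problems, parsed = [], {}
    for name, text in named_configs:
        try:
            parsed[name] = json.loads(text)   # a missing brace fails here
        except json.JSONDecodeError as exc:
            problems.append(f"{name}: config.json does not parse ({exc.msg})")
    for name, cfg in parsed.items():
        bad = key_problem(cfg.get("encrypt"))
        if bad:
            problems.append(f"{name}: {bad}")
        if not cfg.get("start_join"):
            problems.append(f"{name}: start_join is empty, agent cannot find the cluster")
    # Cross-node invariants: one datacenter, one key, at most one bootstrap server.
    for field in ("datacenter", "encrypt"):
        if len({cfg.get(field) for cfg in parsed.values()}) > 1:
            problems.append(f"{field} differs between nodes")
    if sum(1 for c in parsed.values() if c.get("bootstrap")) > 1:
        problems.append("bootstrap=true on more than one node")
    return problems
```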

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/nomad/0.9.1/nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# unzip nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# mv nomad /usr/local/bin/
root@nomad-livelinux-01:~# nomad -autocomplete-install
root@nomad-livelinux-01:~# complete -C /usr/local/bin/nomad nomad
root@nomad-livelinux-01:~# mkdir /etc/nomad.d

After unpacking we get a 65 MB Nomad binary, which must be moved to /usr/local/bin.

Let's create the data directory for Nomad and edit its service file (most likely it does not exist yet):

root@nomad-livelinux-01:~# mkdir --parents /opt/nomad
root@nomad-livelinux-01:~# nano /etc/systemd/system/nomad.service

Paste the following lines into it:

[Unit]
Description=Nomad
Documentation=https://nomadproject.io/docs/
Wants=network-online.target
After=network-online.target

[Service]
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
KillMode=process
KillSignal=SIGINT
LimitNOFILE=infinity
LimitNPROC=infinity
Restart=on-failure
RestartSec=2
StartLimitBurst=3
StartLimitIntervalSec=10
TasksMax=infinity

[Install]
WantedBy=multi-user.target

However, we are in no hurry to start nomad: we have not yet created the configuration files:

root@nomad-livelinux-01:~# mkdir --parents /etc/nomad.d
root@nomad-livelinux-01:~# chmod 700 /etc/nomad.d
root@nomad-livelinux-01:~# nano /etc/nomad.d/nomad.hcl
root@nomad-livelinux-01:~# nano /etc/nomad.d/server.hcl

The final directory structure will be as follows:

/etc/nomad.d/
├── nomad.hcl
└── server.hcl

The nomad.hcl file should contain the following configuration:

datacenter = "dc1"
data_dir = "/opt/nomad"

Contents of the server.hcl file:

server {
  enabled = true
  bootstrap_expect = 1
}

consul {
  address             = "127.0.0.1:8500"
  server_service_name = "nomad"
  client_service_name = "nomad-client"
  auto_advertise      = true
  server_auto_join    = true
  client_auto_join    = true
}

bind_addr = "127.0.0.1" 

advertise {
  http = "172.30.0.5"
}

client {
  enabled = true
}

Don't forget to change the configuration file on the second server: there you will need to change the value of the http directive.

The last thing at this stage is to configure Nginx for proxying and set up HTTP authorization. Contents of the nomad.conf file:

upstream nomad-auth {
    server 172.30.0.5:4646;
}

server {
    server_name nomad.domain.name;

    location / {
        proxy_pass http://nomad-auth;
        proxy_set_header Host $host;
        auth_basic_user_file /etc/nginx/.htpasswd;
        auth_basic "Password-protected Area";
    }
}

Now we can reach the web panel over the external network. Connect and go to the servers page:

Figure 1. List of servers in the Nomad cluster

Both servers are shown in the panel; we will see the same thing in the output of the nomad node status command:

Figure 2. Output of the nomad node status command

What about Consul? Let's check. Go to the Consul control panel, to the nodes page:

Figure 3. List of nodes in the Consul cluster

Now we have Nomad configured and working together with Consul. In the final stage we get to the fun part: setting up delivery of Docker containers from Gitlab to Nomad, and a few of its other distinctive features.

Creating a Gitlab Runner

To deploy docker images to Nomad we will use a separate runner with the Nomad binary inside (here, by the way, we can note another feature of HashiCorp applications: each of them is a single binary). Put the binary in the runner's directory. Let's create a simple Dockerfile for it with the following contents:

FROM alpine:3.9
RUN apk add --update --no-cache libc6-compat gettext
COPY nomad /usr/local/bin/nomad

In the same project we create .gitlab-ci.yml:

variables:
  DOCKER_IMAGE: nomad/nomad-deploy
  DOCKER_REGISTRY: registry.domain.name

stages:
  - build

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:latest
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}

As a result we get the Nomad runner image in the Gitlab Registry; now we can go straight to the project repository, create a Pipeline and configure the Nomad job.

Project setup

Let's start with the Nomad job file. My project in this article will be quite primitive: it will consist of a single task. The contents of .gitlab-ci will be as follows:

variables:
  NOMAD_ADDR: http://nomad.address.service:4646
  DOCKER_REGISTRY: registry.domain.name
  DOCKER_IMAGE: example/project

stages:
  - build
  - deploy

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad-runner/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${CI_COMMIT_SHORT_SHA}
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}


deploy:
  stage: deploy
  image: registry.example.com/nomad/nomad-runner:latest
  script:
    - envsubst '${CI_COMMIT_SHORT_SHA}' < project.nomad > job.nomad
    - cat job.nomad
    - nomad validate job.nomad
    - nomad plan job.nomad || if [ $? -eq 255 ]; then exit 255; else echo "success"; fi
    - nomad run job.nomad
  environment:
    name: production
  allow_failure: false
  when: manual

Here the deployment is triggered manually, but you can set it up to run on changes in the project directory. The pipeline consists of two stages: building the image and deploying it to Nomad. In the first stage we build the docker image and push it to the Registry; in the second we launch our job in Nomad. The job file itself, project.nomad:

job "monitoring-status" {
    datacenters = ["dc1"]
    migrate {
        max_parallel = 3
        health_check = "checks"
        min_healthy_time = "15s"
        healthy_deadline = "5m"
    }

    group "zhadan.ltd" {
        count = 1
        update {
            max_parallel      = 1
            min_healthy_time  = "30s"
            healthy_deadline  = "5m"
            progress_deadline = "10m"
            auto_revert       = true
        }
        task "service-monitoring" {
            driver = "docker"

            config {
                image = "registry.domain.name/example/project:${CI_COMMIT_SHORT_SHA}"
                force_pull = true
                auth {
                    username = "gitlab_user"
                    password = "gitlab_password"
                }
                port_map {
                    http = 8000
                }
            }
            resources {
                network {
                    port "http" {}
                }
            }
        }
    }
}
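The deploy stage above renders project.nomad with envsubst restricted to ${CI_COMMIT_SHORT_SHA} and then runs nomad validate, plan and run. As an added example (not from the article and not Nomad's own tooling), the Python gate below reproduces that restricted substitution and refuses a rendered job whose image is not from the trusted registry, is not pinned to the commit SHA, or carries an inlined registry password; the job fragment, registry name and commit SHA are constructed from the article's values.

```python
import re

# Constructed fragment of the article's project.nomad: only ${CI_COMMIT_SHORT_SHA}
# is meant to be substituted, exactly as envsubst '${CI_COMMIT_SHORT_SHA}' does.
PROJECT_NOMAD = '''
job "monitoring-status" {
    datacenters = ["dc1"]
    group "zhadan.ltd" {
        task "service-monitoring" {
            driver = "docker"
            config {
                image = "registry.domain.name/example/project:${CI_COMMIT_SHORT_SHA}"
                force_pull = true
                auth {
                    username = "gitlab_user"
                    password = "gitlab_password"
                }
            }
        }
    }
}
'''
TRUSTED_REGISTRY = "registry.domain.name"   # the article's DOCKER_REGISTRY value
IMAGE_RE = re.compile(r'^\s*image\s*=\s*"([^"]+)"', re.M)
PASSWORD_RE = re.compile(r'^\s*password\s*=\s*"[^"]*"', re.M)


def render(template, variables):
    """envsubst-style substitution restricted to the names in `variables`; any
    other ${...} is left as is instead of being blanked out."""
    def sub(m):
        return variables.get(m.group(1), m.group(0))
    return re.sub(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}", sub, template)


def deploy_problems(rendered, commit_sha):
    """Gate to run before `nomad run`: every image must come from the trusted
    registry and be pinned to the commit SHA (never :latest or an unrendered
    placeholder), and registry credentials must not be inlined in the job."""
    problems = []
    images = IMAGE_RE.findall(rendered)
    if not images:
        problems.append("job declares no docker image")
    for image in images:
        registry, _, rest = image.partition("/")
        if registry != TRUSTED_REGISTRY:
            problems.append(f"{image}: not from {TRUSTED_REGISTRY}")
        tag = rest.rsplit(":", 1)[1] if ":" in rest else ""
        if tag != commit_sha:
            problems.append(f"{image}: tag is not the commit SHA {commit_sha}")
    if PASSWORD_RE.search(rendered):
        problems.append("registry password is inlined in the job file")
    return problems
```

On the article's own job the gate passes the image check but flags the inlined password, which is exactly what the Vault integration described next removes.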

Please note that I have a private registry, and to pull the docker image successfully I need to log in to it. The best solution in this case is to put the login and password in Vault and then integrate it with Nomad. Nomad supports Vault natively. But first, let's load the required Nomad policies into Vault itself; they can be downloaded:

# Download the policy and token role
$ curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L
$ curl https://nomadproject.io/data/vault/nomad-cluster-role.json -O -s -L

# Write the policy to Vault
$ vault policy write nomad-server nomad-server-policy.hcl

# Create the token role with Vault
$ vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json

Now, after creating the required policies, we add the Vault integration in the task block of the job.nomad file:

vault {
  enabled = true
  address = "https://vault.domain.name:8200"
  token = "token"
}

I use token authorization and register the token directly here; there is also the option of passing the token as a variable when starting the nomad agent:

$ VAULT_TOKEN=<token> nomad agent -config /path/to/config

Now we can use secrets from Vault. The principle is simple: in the Nomad job we create a file that will hold the values of the variables, for example:

template {
  data = <<EOH
{{ with secret "secrets/pipeline-keys" }}
REGISTRY_LOGIN="{{ .Data.REGISTRY_LOGIN }}"
REGISTRY_PASSWORD="{{ .Data.REGISTRY_PASSWORD }}"
{{ end }}
EOH
  destination = "secrets/service-name.env"
  env = true
}

With this simple approach you can set up container delivery to a Nomad cluster and keep working with it afterwards. I will say that to some extent I sympathize with Nomad: it is better suited to small projects, where Kubernetes would bring extra complexity without realizing its full potential. In addition, Nomad is perfect for beginners: it is easy to install and configure. However, when testing it on some projects I ran into problems with its early versions: many basic functions are simply missing or do not work correctly. Nevertheless, I believe that Nomad will keep developing and will in time gain the functions everyone needs.

Authors: Ilya Andreev, edited by Alexey Zhadan and the Live Linux team


source: www.habr.com
